The random ramblings of a French programmer living in Norway...
  Hacking confessions (part 3)
Sun 5th September 2010   

First a disclaimer: What I'm writing here now is related to events that happened a long time ago, at a period of time when it was relatively safe to do it; the worst that could happen would have been expulsion from the school. If you try to do this kind of thing now, you may very well do some jail time and have heavy fines to pay as well.

The beginning of the end

If I'm not mistaken, this article will be the last in the confessions category. After that I stopped experimenting, mostly because I had no good reason for doing them anymore.
Anyway, last time I promised to tell you how I managed to collect the logins and passwords of everybody. Well, that was not a very complicated thing to do: it has been done numerous times, and it will still be done for a while, because the principle of showing some interface where you are requested to use a keyboard to enter characters is a very flawed security method.

Some people claim that most of the methods that can be used to collect credentials are based on the fact you had at some point a physical access to the machine used to enter the password, and that it should not really scare you. Well, most of the piracy attempts are done by disgruntled employees, so you should really be scared.

Nowadays people use the phishing method: You receive a mail claiming that there's some issue on your account (bank account, social network profile, etc ...) with a link to a fake login page where people graciously provide all their login information. Now of course your mail client or browser tries to prevent this kind of thing, but there are so many ways you can trick the system that the best security is to not click on a link anyway, and use the official website/login information you were provided with when you created your account in the first place.

But that's now, what I did was in 1991.

Quick Basic, here we are

In the previous part I wrote about all these little programs I wrote to simulate DOS commands. What I did not explain is how I wrote them: Well, it was not very high tech, it was all written in Quick Basic.

QuickBASIC 4.5 Welcome screen
Some people strangely assume that for doing hacking or cracking you need to be a machine code wizard, or a C expert. Well, that's not true: All you need is something that is good enough to get the job done, and Quick Basic had the advantage of being super easy to learn, and the compiler generated code good enough for my needs.

I did the same thing for collecting the passwords.

To connect to the Unix server we had to run some commands from the DOS interpreter to bring up the AIX login screen. This was a simple text mode application displaying an ugly AIX ASCII logo, and then you were asked for your login and password.

What I did was a simple capture of the display, then wrote in Basic a facsimile of this screen. All it would do is record what was entered in a text file somewhere in my hidden folder, and then pretend to crash by displaying some random hardware error message before disabling itself and quitting.

On the second attempt the real AIX command would run and authenticate the user correctly, so most people would not even signal the issue, assuming it was just a normal hiccup.

With this I was able to collect about every single student's login and password on the first week at school.

Collecting the root password was a bit more complicated, because the teacher never used the DOS machines; she was working directly on the Unix server - the one I wanted to get access to.

Well, all I had to do was a small variant of the program: instead of crashing on any attempt at connecting, it would display an "authentication failure" when my own login and password were entered, and then crash if an attempt to log in as "root" was made.

From this point it was easy: I told my teacher I could not log on to the system. She came to check what happened, I showed her what happened when I entered my credentials, she checked on the Unix server that I could actually log in correctly, then came back to the PC to see if something was wrong by entering the root credentials: Congratulations, you just got owned.

The moral of all that is that you can harden all you want in the operating systems, you can fix as many security breaches as you want, the weakest point is still the human factor. If there is a way something can be exploited, it will be.

What about today?

It's supposed to be more difficult today to do this kind of stunt, because some security measures have been adopted.

At least that's the theory.

Do you know how you can recognize the real Windows login page from a fake one? That's easy, all you need is to try to press CTRL+ALT+DELETE: If you see the Windows Task Manager appear, then it means you are not on the real Windows login page, you are just on an application that pretends to be it.

Of course, like me I'm sure you ALWAYS try to press these keys when you log on the machine, when you wake up the computer from the screen saver, etc... well I don't. I should but I don't.

How difficult would it be for me to check which screen-saver my colleague at work is using, and while he is gone for the lunch break to just install a small program that just runs the screen saver and when the mouse is moved show a fake authentication screen?

That would be trivial.